Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05/07/2024, 04:44
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
  Resource: win10v2004-20240704-en
General
Target: 2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
Size: 507KB
MD5: a00a34fd05e2621a1a5514f51f2f9fed
SHA1: 1f39326ec6ae8734995b0e187a1ddf8d36ccde2f
SHA256: fcda68d2fa02bb2bb763b8b460aa4c487f6d17670f8177f9a2447e643fb2cd4c
SHA512: f66a9801dfef20654e6573f6242cfe6c1ad4c6a0683854aca1355fff40bba105aa2f15ee40c552ecd60bb20bc1562bf505386b0bb28c2ff3b94f1b3e6dc93a31
SSDEEP: 12288:ayjoBI0TOBkmRk6M8a6XwnfgdBOcs1mW:1jTOOBkmi6Ha6XwodBOcN
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid   Process
  2796  nsry4ag2bhpzheetuyo3w.exe
  2908  ketidewiqka.exe
  2748  ylnsruuxdcbc.exe
  2580  ketidewiqka.exe
Loads dropped DLL (6 IoCs)
  pid   Process
  2312  2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
  2312  2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
  2908  ketidewiqka.exe
  2908  ketidewiqka.exe
  2796  nsry4ag2bhpzheetuyo3w.exe
  2796  nsry4ag2bhpzheetuyo3w.exe
Drops file in Windows directory (5 IoCs)
  description   ioc                                  Process
  File created  C:\Windows\rkzvesaqtdq\dyhwrja       ketidewiqka.exe
  File created  C:\Windows\rkzvesaqtdq\dyhwrja       ylnsruuxdcbc.exe
  File created  C:\Windows\rkzvesaqtdq\dyhwrja       ketidewiqka.exe
  File created  C:\Windows\rkzvesaqtdq\dyhwrja       2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
  File created  C:\Windows\rkzvesaqtdq\dyhwrja       nsry4ag2bhpzheetuyo3w.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2908  ketidewiqka.exe
  2748  ylnsruuxdcbc.exe
  (all remaining entries repeat 2748 ylnsruuxdcbc.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                        procid_target
  PID 2312 wrote to memory of 2796   2312  2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe  30
  PID 2312 wrote to memory of 2796   2312  2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe  30
  PID 2312 wrote to memory of 2796   2312  2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe  30
  PID 2312 wrote to memory of 2796   2312  2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe  30
  PID 2908 wrote to memory of 2748   2908  ketidewiqka.exe                                                32
  PID 2908 wrote to memory of 2748   2908  ketidewiqka.exe                                                32
  PID 2908 wrote to memory of 2748   2908  ketidewiqka.exe                                                32
  PID 2908 wrote to memory of 2748   2908  ketidewiqka.exe                                                32
  PID 2796 wrote to memory of 2580   2796  nsry4ag2bhpzheetuyo3w.exe                                      33
  PID 2796 wrote to memory of 2580   2796  nsry4ag2bhpzheetuyo3w.exe                                      33
  PID 2796 wrote to memory of 2580   2796  nsry4ag2bhpzheetuyo3w.exe                                      33
  PID 2796 wrote to memory of 2580   2796  nsry4ag2bhpzheetuyo3w.exe                                      33
Processes
C:\Users\Admin\AppData\Local\Temp\2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe"
  PID: 2312
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\rkzvesaqtdq\nsry4ag2bhpzheetuyo3w.exe
      command line: "C:\rkzvesaqtdq\nsry4ag2bhpzheetuyo3w.exe"
      PID: 2796
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\rkzvesaqtdq\ketidewiqka.exe
          command line: "C:\rkzvesaqtdq\ketidewiqka.exe"
          PID: 2580
          - Executes dropped EXE
          - Drops file in Windows directory

C:\rkzvesaqtdq\ketidewiqka.exe
  command line: C:\rkzvesaqtdq\ketidewiqka.exe
  PID: 2908
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\rkzvesaqtdq\ylnsruuxdcbc.exe
      command line: yaieh3tmtcsd "c:\rkzvesaqtdq\ketidewiqka.exe"
      PID: 2748
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 12B
  MD5: af442c287fc5f45679fb442d63be6282
  SHA1: 09c5af2c5d47e4bf44f73f7799614acc8f5f9758
  SHA256: 898304f9adf6eaae130c0de00f30296e20eed3a2c235afd098062e6e2d61e015
  SHA512: 609d704c83deeb270b74c73622c3ed3d114a6456d55270f16e36248ed364196bc6c45b4192e4041c6814bca0489a4e907bde2dc25b20ff93db332a005ca4f9b4

Filesize: 507KB
  MD5: a00a34fd05e2621a1a5514f51f2f9fed
  SHA1: 1f39326ec6ae8734995b0e187a1ddf8d36ccde2f
  SHA256: fcda68d2fa02bb2bb763b8b460aa4c487f6d17670f8177f9a2447e643fb2cd4c
  SHA512: f66a9801dfef20654e6573f6242cfe6c1ad4c6a0683854aca1355fff40bba105aa2f15ee40c552ecd60bb20bc1562bf505386b0bb28c2ff3b94f1b3e6dc93a31